Proofpoint researchers have identified a phishing campaign attributed to a likely North Korean threat actor. Disguised as job offers or code-review requests, the attacks target software developers and aim to steal cryptocurrency wallets and authentication credentials.

Between April and May 2026, security researchers at Proofpoint observed a phishing campaign in which a likely North Korean threat actor targeted software developers at organisations in the technology, finance, cryptocurrency, and education sectors. The operation, tracked as UNK_DeadDrop, uses GitHub repositories, malicious Visual Studio Code extensions, and cross-platform malware to drain cryptocurrency wallets and extract browser credentials.

The Lures

Attackers sent more than 250 emails to individuals at nearly 100 organisations across multiple sectors, with a particular focus on the cryptocurrency industry. The geographic distribution of targets was global, with the USA as the primary target. Emails were sent from attacker-controlled domains and offered positions such as Full-Stack Engineer or Agent Lead Developer, framing the messages as part of a structured hiring process.

To establish credibility, the attackers impersonated real or plausible organisations: Ondo Finance, a decentralised finance platform; Empower Pharmacy; NXLog, a log collection tool; OnePlan, a portfolio management platform; Hypen Connect, a Web3 and AI talent agency; Valon, a mortgage servicer; and Nourish, a telehealth company. A second campaign variant approached developers with requests for peer reviews of ostensibly open-source projects, with platforms named Pulsynk and Trixauvex serving as cover. Reviewers were told a job offer would follow depending on the quality of their submissions. A further variant asked developers to test an ERC-4626 vault in Foundry, a toolkit used in Ethereum and smart-contract development. The most recently observed iteration centred on building AI agent-based systems with payment capabilities.

The Infection Chain

Phishing emails contain links to malicious GitHub repositories dressed up as technical assignments or blockchain projects. Victims are instructed to clone the repository and open it in an editor such as VS Code or Cursor. Once the folder is opened, a hidden `.vscode/tasks.json` file automatically triggers a script. That script installs a malicious VS Code extension named `google-update-support.vsix`, which presents itself as a legitimate Google service. Simultaneously, the script decodes and launches platform-specific malware payloads for Linux, macOS, or Windows.
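As an added example (not code from the article or from Proofpoint), the following Python pre-check inspects a cloned repository before it is opened in an editor. It parses `.vscode/tasks.json`, which VS Code reads as JSON with comments and trailing commas, reports every task configured with `runOptions.runOn` set to `folderOpen`, notes whether the task suppresses its terminal output, and lists any `.vsix` extension packages bundled in the repository. The tasks.json embedded in the block is a constructed sample; the script path `.vscode/setup.sh` in it is a placeholder and not a file named by the article.

```python
import json
import sys
from pathlib import Path

# Constructed sample in the pattern the article describes: one ordinary build
# task and one task that runs as soon as the folder is opened, terminal hidden.
# The script path ".vscode/setup.sh" is a placeholder, not taken from the report.
SAMPLE_TASKS_JSON = """{
  // VS Code tasks files may contain comments and trailing commas (JSONC)
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "Prepare workspace", /* looks routine at a glance */
      "type": "shell",
      "command": "sh",
      "args": [".vscode/setup.sh"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false }
    }
  ]
}"""


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas so json.loads accepts the text.
    A small state machine keeps comment markers that appear inside string literals."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):           # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):           # block comment: skip to closing marker
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            if c in "}]":
                # drop a trailing comma: walk back over whitespace to the last token
                k = len(out) - 1
                while k >= 0 and out[k].isspace():
                    k -= 1
                if k >= 0 and out[k] == ",":
                    del out[k]
            out.append(c)
            i += 1
    return "".join(out)


def _command_text(task: dict) -> str:
    """Flatten command and args (plain strings or {"value": ...} objects) into one line."""
    command = task.get("command", "")
    if isinstance(command, dict):
        command = command.get("value", "")
    args = [a.get("value", "") if isinstance(a, dict) else str(a) for a in task.get("args", [])]
    return " ".join([str(command)] + args).strip()


def find_auto_tasks(tasks_json_text: str) -> list:
    """Return the tasks that the editor would start automatically on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        reveal = (task.get("presentation") or {}).get("reveal", "always")
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type"),
            "command": _command_text(task),
            "silent": reveal in ("never", "silent"),   # no terminal panel shown to the user
        })
    return findings


def scan_repo(repo_dir: str) -> dict:
    """Inspect a cloned repository on disk before it is opened in an editor."""
    repo = Path(repo_dir)
    report = {"auto_tasks": [], "vsix_files": []}
    tasks_file = repo / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        report["auto_tasks"] = find_auto_tasks(tasks_file.read_text(encoding="utf-8", errors="replace"))
    report["vsix_files"] = sorted(str(p.relative_to(repo)) for p in repo.rglob("*.vsix"))
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = scan_repo(sys.argv[1])
    else:
        result = {"auto_tasks": find_auto_tasks(SAMPLE_TASKS_JSON), "vsix_files": []}
    for t in result["auto_tasks"]:
        visibility = "hidden terminal" if t["silent"] else "visible terminal"
        print(f"AUTO-RUN on folder open: {t['label']!r} ({t['type']}, {visibility}): {t['command']}")
    for v in result["vsix_files"]:
        print(f"Bundled extension package: {v}")
    if not result["auto_tasks"] and not result["vsix_files"]:
        print("No folder-open tasks or .vsix files found")
```

Run it as `python scan_repo.py /path/to/clone` before opening the folder; with no argument it scans the embedded sample and reports the hidden folder-open task. The complementary hardening lives on the editor side: setting VS Code's `task.allowAutomaticTasks` to `off` stops folder-open tasks from running at all, and opening unfamiliar clones in Restricted Mode (Workspace Trust) likewise prevents tasks from executing until the folder is explicitly trusted.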

On macOS and Linux, the attacker deploys Go binaries based on the open-source Overlord framework, which function as full remote access trojans. On Windows, the malware runs entirely as JavaScript within the editor’s Electron process, writing no binaries to disk — a design choice that significantly reduces the chance of detection by conventional endpoint security tools. The infection chain’s particular potency derives from the fact that all payloads are embedded directly in the repository, eliminating the need for external download servers that could be taken offline.

The Theft

The cryptocurrency theft proceeds in two phases. In the first, the malware systematically collects all wallet data: it targets 35 browser-based wallet extensions, including MetaMask, Phantom, Rabby, and Keplr, as well as 18 standalone wallet applications such as Exodus, Electrum, and Ledger Live. Browser profiles, local storage, and IndexedDB entries are also swept. All collected data is packaged into a ZIP archive and uploaded to a command-and-control server.

In the second phase, credential theft and safe-storage key extraction take place. On macOS, the malware displays a fake system dialogue prompting the user for their password. Once entered, Keychain ACLs are modified, the process escalates to root privileges, and browser safe-storage keys along with the full Keychain dataset are extracted. On Linux, the Zenity dialog tool is used for the password prompt, after which the malware queries the GNOME Keyring and launches Python processes to extract encrypted keyring schemas. Privilege escalation is achieved via `runuser`. On Windows, a Python script performs a DPAPI and App-Bound Encryption bypass to extract passwords from Chrome, Edge, and Brave, in addition to cookies and other credentials.

Exfiltrated data is transmitted to a command-and-control server at IP address 23.137.105.75. On macOS and Linux, transmission occurs over a persistent WebSocket connection; on Windows, via an HTTP POST request. Beyond wallet data, the malware transmits all browser passwords, cookies, safe-storage keys, and Keychain data, giving the attacker comprehensive access to the victim’s digital infrastructure.

Persistence and Evasion

After completing data exfiltration, the malware removes its payload files and directories to cover its tracks. On macOS and Linux, however, the malicious VSIX extension remains persistent and is reloaded each time the editor starts, ensuring continued control. On Windows, execution is one-time with no persistence mechanism.

Proofpoint analysts note that this approach is particularly effective because it exploits routine developer behaviour: cloning GitHub repositories is a standard daily activity, and the silent execution without visible terminal activity makes the malware difficult to detect. The campaign bears similarities to operations attributed to the North Korean group known as Contagious Interview, but Proofpoint tracks it as a separate cluster due to the absence of direct overlaps in its telemetry.

Threat Actor Context

North Korean threat actors have a documented history of targeting developers. Their methods include disguising attacks as technical aptitude tests or coding challenges, deploying ClickFix techniques, and abusing Visual Studio Code functionality for malware execution. Initial contact is typically made via LinkedIn, Slack, or Telegram, with cross-platform approaches also in use. The consistent targets across campaigns are API tokens, cryptocurrency wallets, and authentication credentials. The UNK_DeadDrop campaign exemplifies the operational maturity of these actors: it combines social engineering at the recruitment layer with technically sophisticated multi-platform malware that exploits trusted tooling at the infrastructure layer.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
